F5 – TMOS Administration
Exam 201 Study Guide
I have included a lot of good information listed by Rich Hill at veritablenetworks.blogspot.com
http://veritablenetworks.blogspot.com/2012_12_01_archive.html
Section 1: 19% Troubleshoot basic virtual server connectivity issues
Objective 1.01 Given a connectivity troubleshooting situation, consider the packet and virtual server processing order
- Explain how a packet is processed once it arrives at a device (connection table, packet filters, etc.), in this order:
  o Existing connection in the connection table
  o Packet filter rule
  o Virtual server
      <address>:<port>
      <address>:*
      <network>:<port>
      <network>:*
      *:<port>
      *:*
  o SNAT
  o NAT
  o Self-IP
  o Drop
- Explain how a virtual server processes a request (most specific to least specific)
  o When determining the order of precedence applied to new inbound connections, the BIG-IP uses an algorithm which places a higher precedence on the address netmask and a lesser emphasis on the port. BIG-IP sets virtual server precedence according to the following criteria:
      The first precedent of the algorithm chooses the virtual server that has the longest subnet match for the incoming connection.
      If the number of bits in the subnet mask match, the algorithm then chooses the virtual server that has a port match.
      If no port match is found, the algorithm uses the wildcard server, if a wildcard virtual server is defined.
      A wildcard address has a netmask length of zero, thus it has a lower precedence than any matching virtual server with a defined address.
  o SOL9038: The order of precedence for local traffic object listeners
      http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html
  o SOL6459: Order of precedence for the virtual server matching
      http://support.f5.com/kb/en-us/solutions/public/6000/400/sol6459.html
  o Specifically (highest precedence first):
      Specific IP address and specific port
          10.0.33.199:80
      Specific IP address and all ports
          10.0.33.199:*
      Network IP address and specific port
          10.0.33.0:8080 Mask 255.255.255.0
      Network IP address and all ports
          10.0.33.0:* Mask 255.255.255.0
      All networks and specific port
          0.0.0.0:80 Mask 0.0.0.0
      All networks and all ports
          0.0.0.0:* Mask 0.0.0.0
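The following is an added worked example (not code from the study guide or from F5) that models the lookup order just described: an existing connection-table entry wins first; otherwise the matching virtual servers are ranked by longest netmask match, with a specific port only breaking ties against a wildcard port. The listener names, the six sample listeners (one per row of the precedence list above) and the client addresses are constructed for illustration; packet filters, SNAT/NAT and self-IP checks are deliberately left out of the walk-through.

```python
"""Added example: which BIG-IP LTM listener handles an inbound packet?

Models the lookup order described in the guide: an existing entry in the
connection table wins first; otherwise the matching virtual servers are ranked
by longest netmask match, then by a specific port over a wildcard (*) port.
Names and addresses are constructed for illustration; this is not F5 code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)
WILDCARD_PORT = 0                  # stands for "*" in a listener definition


@dataclass(frozen=True)
class VirtualServer:
    name: str
    network: str   # "10.0.33.199/32" for a host, "0.0.0.0/0" for the "*" address
    port: int      # WILDCARD_PORT for "*"

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        net = ipaddress.ip_network(self.network, strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
        return self.port == WILDCARD_PORT or self.port == dst_port

    def precedence(self) -> Tuple[int, int]:
        # A longer mask always beats a shorter one; the port only breaks ties.
        prefixlen = ipaddress.ip_network(self.network, strict=False).prefixlen
        return (prefixlen, 0 if self.port == WILDCARD_PORT else 1)


def select_virtual_server(servers: Iterable[VirtualServer],
                          dst_ip: str, dst_port: int) -> Optional[VirtualServer]:
    """Return the most specific matching listener, or None if nothing matches."""
    candidates = [vs for vs in servers if vs.matches(dst_ip, dst_port)]
    return max(candidates, key=VirtualServer.precedence) if candidates else None


def resolve_packet(conn_table: Dict[Flow, str], servers: Iterable[VirtualServer],
                   flow: Flow) -> Tuple[str, Optional[str]]:
    """Walk the processing order: connection table first, then virtual servers.

    Packet filters, SNAT/NAT and self-IP checks are omitted here; a packet that
    reaches the end of the order with no listener is dropped.
    """
    if flow in conn_table:
        return ("connection table", conn_table[flow])
    vs = select_virtual_server(servers, flow[2], flow[3])
    if vs is not None:
        return ("virtual server", vs.name)
    return ("drop", None)


# Constructed listeners, one per row of the precedence list (SOL6459 order).
SAMPLE_SERVERS: List[VirtualServer] = [
    VirtualServer("vs_host_80", "10.0.33.199/32", 80),
    VirtualServer("vs_host_any", "10.0.33.199/32", WILDCARD_PORT),
    VirtualServer("vs_net_8080", "10.0.33.0/24", 8080),
    VirtualServer("vs_net_any", "10.0.33.0/24", WILDCARD_PORT),
    VirtualServer("vs_all_80", "0.0.0.0/0", 80),
    VirtualServer("vs_all_any", "0.0.0.0/0", WILDCARD_PORT),
]

if __name__ == "__main__":
    # Constructed connection-table entry for an already established flow.
    table = {("192.0.2.7", 40001, "10.0.33.199", 80): "vs_host_80"}
    for flow in [("192.0.2.7", 40001, "10.0.33.199", 80),   # existing connection
                 ("192.0.2.7", 40002, "10.0.33.199", 443),  # host match, wildcard port
                 ("192.0.2.7", 40003, "10.0.33.50", 80),    # /24:* beats 0.0.0.0:80
                 ("192.0.2.7", 40004, "198.51.100.9", 80)]: # only the wildcard address
        print(flow, "->", resolve_packet(table, SAMPLE_SERVERS, flow))
```

The third sample flow is the one worth remembering for the exam: 10.0.33.50:80 is claimed by the 10.0.33.0/24:* listener, not by 0.0.0.0:80, because netmask length is compared before the port.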
- Given a specific connectivity issue, isolate where the problem might be according to the processing order
  o Order of precedence for virtual server matching
  o Overview of packet tracing with the tcpdump utility
  o Overview of TCP connection set-up for BIG-IP LTM virtual server types
  o Manual Chapter: Introducing BIG-IP Local Traffic Manager
Objective 1.02 Identify the reason for an unresponsive virtual server
- Determine the state of a virtual server (offline, enabled, etc.)
  o At any time, you can determine the status of a virtual server or virtual address using the Configuration utility. You can find this information by displaying the list of virtual servers or virtual addresses and viewing the Status column, or by viewing the Availability property of the object.
  o The Configuration utility indicates status by displaying one of several icons, distinguished by shape and color:
      The shape of the icon indicates the status that the monitor has reported for that node.
      The color of the icon indicates the actual status of the node.
      Status indicator / Explanation (the icons themselves are not reproduced here):
      (icon) The virtual server or virtual address is enabled and able to receive traffic.
      (icon) The virtual server or virtual address is enabled but is currently unavailable. However, the virtual server or virtual address might become available later, with no user action required. An example of a virtual server or virtual address showing this status is when the object's connection limit has been exceeded. When the number of connections falls below the configured limit, the virtual server or virtual address becomes available again.
      (icon) The virtual server or virtual address is enabled but offline because an associated object has marked the virtual server or virtual address as unavailable. To change the status so that the virtual server or virtual address can receive traffic, you must actively enable the virtual server or virtual address.
      (icon) The virtual server or virtual address is operational but set to Disabled. To resume normal operation, you must manually enable the virtual server or virtual address.
      (icon) The status of the virtual server or virtual address is unknown. (Status is typically "unknown" because it does not have an object to base its status on (no pool assigned). The server will still accept client connections and could almost be considered "green circle". Some configurations use iRules or HTTP Class profiles to select from multiple pools.)
- Determine if a virtual server is configured for the proper listening port (highlighted in the original screenshot, which is not reproduced here)
- Determine if a virtual server is configured with the proper IP address configuration (highlighted in the original screenshot, which is not reproduced here)
- Determine if the virtual server is configured with the appropriate profiles
  o If it is an HTTP VS, it will require TCP and HTTP profiles.
  o If it is an HTTPS VS, it will require TCP, HTTP, and SSL (client) profiles.
      If SSL is required for server-side communication, it will also require an SSL (server) profile.
      Sometimes a VS (client) or pool member (server) gets configured for SSL, but things don't seem to work; check that the appropriate SSL profiles are applied.
- Determine if the pool configuration has an effect on the virtual state
  o Virtual server status is determined by the assigned pool status
  o Pool status is determined by pool member status (a pool needs a minimum of 1 available pool member to be marked available)
  o Pool member status is determined by node status (typically just ICMP)
- Determine which tools to use in order to diagnose the issue
  o Start by logging into the BIG-IP
  o See if the BIG-IP can ping the host of the pool member service (node)
      If ping succeeds, telnet to the pool member (IP:Port)
          Troubleshoot the health monitor
      Else, troubleshoot connectivity to the node
- Explain the difference between the virtual server status definitions
  o See the status indicator table
- Additional troubleshooting information:
  o https://devcentral.f5.com/wiki/AdvDesignConfig.TroubleshootingLtmMonitors.ashx
  o http://www.fir3net.com/Big-IP-F5-LTM/big-ip-ltm-health-monitors.html
Objective 1.03 Identify the reason for an unresponsive pool member
- Discuss the effects of health monitors on the status of pool members/nodes
- Determine the state and availability of the pool member/node in question
- Verify the pool member/node Ratio configuration
- Verify the pool member/node connection configuration and count
Objective 1.04 Identify a persistence issue
- Explain the concept of "persistence"
- Verify the type of persistence profile assigned to the virtual server in question
- Validate the expected persistence behavior
- Differentiate between fallback and primary persistence
- Use the appropriate tool to troubleshoot persistence
Section 2: 10% Troubleshoot basic hardware issues
Objective 2.01 Perform an End User Diagnostic and interpret the output
- Reboot an F5 platform into the EUD
  o SOL7172: Overview of the End User Diagnostics software
  o Release Note: End-User Diagnostics Release Notes
- Download the output from the unit an EUD was run on
- Interpret the output from an EUD and determine if the test passed or failed
Objective 2.02 Interpret the LCD warning messages
- Locate the LCD on an F5 platform
- Correlate the LCD message to the message in the corresponding log file
- Identify which tasks the buttons on the LCD perform
Objective 2.03 Identify a possible hardware issue within the log files
- Indicate which logs would contain debugging information
      /var/log/messages   System information
      /var/log/pktfilter  Packet filter information
      /var/log/ltm        Local Traffic information
      /var/log/gtm        Global Traffic information
      /var/log/em         Enterprise Manager information
- Given a log file, determine the nature of a hardware issue
- Given a possible issue, determine which log file entries to review
Objective 2.04 Perform a failover to a standby box under the appropriate circumstances
- Explain under which circumstances a failover would be used to determine if an issue is software or hardware related
- Use failover as a troubleshooting step in an appropriate situation
- Describe the consequences of performing a failover (mirrored connections, persistent connections)
  o Connection mirroring is not recommended on a virtual server with client-side SSL, because the connection will have to be renegotiated after the failover anyway.
  o All other virtual servers with connection mirroring and/or persistence will be honored, as those connection tables are replicated between BIG-IP devices.
Section 3: 9% Troubleshoot basic performance issues
Objective 3.01 Perform a packet capture within the context of a performance issue
- Determine an appropriate location to take the capture
  o One method is to start in the middle, typically at the BIG-IP. Capture client-side traffic and server-side traffic. Compare the two to discover anomalies.
  o Another method (depends on configuration and resources) is a client-side approach. Perform a packet capture on the client computer while accessing the application through the BIG-IP, and perform another packet capture while accessing the application directly on the same client computer. Compare the two to discover anomalies.
  o Sometimes a combination of the two is required to gather a full understanding of the problem.
  o Filter packet captures by interface or VLAN, and by the hosts in question (client IP, VIP, server IP/s).
- Determine the appropriate time to take the capture
  o Packet capture should be performed
- Determine an appropriate tool to use
- Ensure the packet capture tool has the capacity to capture (drive/app)
- Narrow the scope/context of information being gathered
  o The full syntax of the tcpdump command may be listed by running man tcpdump on the command line. For most troubleshooting, the -i flag to specify an interface and several filters are sufficient. On BIG-IP, the "interface" is usually the VLAN name (although you may use eth0 to dump on the management interface). VLAN names are case-sensitive. Some examples of filters to use are:
      host x.x.x.x (where x.x.x.x is an IP address)
      port zz (where zz is a TCP port number)
      icmp, arp (protocol types)
  o Filters may be combined with Boolean logic (and, not, or).
  o So, some typical tcpdump commands would be:
      tcpdump -i internal host 10.10.1.10 and port 80
      tcpdump -i vlan502 host 10.20.1.50 and not port 22
      tcpdump -i DMZ port 25
      tcpdump -i vlan464 port 80 and not host 10.30.1.75
      tcpdump -i DMZ_Transit host 10.40.1.10 or host 10.40.1.11
  o These various combinations will allow you to pinpoint the traffic flow you are trying to observe. One session should be run on the external or transit VLAN, and another session should be run on the internal or server-side VLAN in order to capture the entire flow of traffic back and forth.
  o tcpdump captures may also be written to a file using the -w flag. See the tcpdump man page for further info. It is recommended to use the /var/tmp directory for the output.
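As an added example (not part of the study guide and not tcpdump or F5 code), the small evaluator below implements the subset of the tcpdump filter language used in the commands above (host, port, icmp, arp, tcp, udp, combined with and / or / not and parentheses) and applies it to a handful of constructed packet records. It lets you check what a filter would keep before starting a capture, and it makes one point the prose only implies: host and port match either direction of a flow, so a single filter keeps both the request and the reply. The packet records and addresses are constructed; the operator precedence (not binds tightest, then and, then or) follows tcpdump's.

```python
"""Added example: evaluate tcpdump-style filters over constructed packet records.

Supports host <ip>, port <n>, icmp, arp, tcp, udp, the operators and / or / not
and parentheses. Packet records are constructed; this is not tcpdump or F5 code.
"""
from typing import Callable, Dict, List

Packet = Dict[str, object]          # keys: proto, src, dst, and sport/dport for TCP/UDP
Pred = Callable[[Packet], bool]
PROTOCOLS = ("icmp", "arp", "tcp", "udp")


def _tokenize(expr: str) -> List[str]:
    return expr.replace("(", " ( ").replace(")", " ) ").split()


class _Parser:
    """Recursive-descent parser: expr := term (or term)*; term := factor (and factor)*."""

    def __init__(self, tokens: List[str]):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self) -> Pred:
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError("trailing token %r" % self.peek())
        return pred

    def expr(self) -> Pred:              # "or" has the lowest precedence
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.term())
        return left

    def term(self) -> Pred:              # "and" binds tighter than "or"
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.factor())
        return left

    def factor(self) -> Pred:            # "not", parentheses and primitives
        tok = self.take()
        if tok == "not":
            inner = self.factor()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok == "host":
            ip = self.take()
            return lambda p: p["src"] == ip or p["dst"] == ip   # either direction
        if tok == "port":
            port = int(self.take())
            return lambda p: p.get("sport") == port or p.get("dport") == port
        if tok in PROTOCOLS:
            return lambda p: p["proto"] == tok
        raise ValueError("unknown token %r" % tok)


def compile_filter(expr: str) -> Pred:
    return _Parser(_tokenize(expr)).parse()


def is_valid_filter(expr: str) -> bool:
    """Cheap syntax check to run before starting a long capture."""
    try:
        compile_filter(expr)
        return True
    except ValueError:
        return False


def apply_filter(expr: str, packets: List[Packet]) -> List[int]:
    """Return the indexes of the packets the filter would keep."""
    pred = compile_filter(expr)
    return [i for i, p in enumerate(packets) if pred(p)]


# Constructed packets: client 10.10.1.10 talking to VIP 10.10.1.100 on port 80
# (both directions), an SSH connection to the VIP, an ARP packet, and a second client.
SAMPLE_PACKETS: List[Packet] = [
    {"proto": "tcp", "src": "10.10.1.10", "dst": "10.10.1.100", "sport": 51234, "dport": 80},
    {"proto": "tcp", "src": "10.10.1.100", "dst": "10.10.1.10", "sport": 80, "dport": 51234},
    {"proto": "tcp", "src": "10.10.1.10", "dst": "10.10.1.100", "sport": 51235, "dport": 22},
    {"proto": "arp", "src": "10.10.1.1", "dst": "10.10.1.100"},
    {"proto": "tcp", "src": "10.10.1.20", "dst": "10.10.1.100", "sport": 40000, "dport": 80},
]

if __name__ == "__main__":
    for f in ("host 10.10.1.10 and port 80", "port 80 and not host 10.10.1.10", "arp"):
        print(f, "->", apply_filter(f, SAMPLE_PACKETS))
```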
- Given a scenario, determine whether a packet capture is appropriate
Objective 3.02 Use BIG-IP tools in order to identify potential performance issues
- Differentiate between performance issue types (i.e. latency, congestion, broken content)
- Establish the frequency of a given issue (random, continuous, isolated, intermittent, repetitive intervals)
- Explain how to get performance statistics in addition to those shown in the dashboard (Overview – Performance)
Section 4: 7% Troubleshoot basic device management connectivity issues
Objective 4.01 Verify remote connectivity to the box in order to determine the cause of a management connectivity issue
- Isolate potential causes of basic network connectivity issues, given scenarios related to:
  o Client configuration
  o Client network access
  o Device network access
  o Network topologies
- Apply connectivity troubleshooting tools (i.e. ping, traceroute, HTTP/HTTPS availability, remote shell access, network-based console access) in the appropriate situation
Objective 4.02 Check and interpret port lockdown settings in order to determine the cause of a management connectivity issue
- Given a scenario, review port lockdown settings on the Self-IP to determine the cause of the issue
- Describe appropriate use cases for the use of port lockdown
Objective 4.03 Check and interpret packet filters in order to determine the cause of a management connectivity issue
- Determine whether a filter is enabled
  o GUI: Network > Packet Filter > General. In the Properties section, a box indicates whether the packet filtering functionality is enabled or not.
o Bigpipe:
- Interpret a packet filter rule list in a given situation
o
Objective 4.04 Given the use of a remote authentication server, verify proper DNS settings in order to diagnose a connectivity issue
- Given a suspected DNS issue, use appropriate tools to verify proper settings
- Given a suspected DNS issue, use appropriate tools to verify the DNS response
Section 5: 14% Open a support ticket with F5
Objective 5.01 Identify the appropriate supporting components and severity levels for an F5 support ticket
- Identify the necessary components for all support cases (Qkview uploaded to iHealth or attached to the case, serial number of the device, problem description, other supporting data)
- Identify severity levels and the associated response times
- Additional information:
  o http://support.f5.com/kb/en-us/solutions/public/0000/100/sol135.html
Objective 5.02 Given an issue, determine the appropriate severity
- Given an issue, determine the appropriate severity
Objective 5.03 Provide quantitative and relevant information appropriate for a given issue
- Distinguish between qualitative/quantitative statements in order to assemble an accurate problem description
- Distinguish between relevant/irrelevant information in order to assemble an accurate problem description
Objective 5.04 Given a scenario, determine the proper F5 escalation method
- Given a scenario, determine the proper F5 escalation method
Section 6: 10% Identify and report current device status
Objective 6.01 Review the network map in order to determine the status of objects on the box
- Explain the status icons of objects on the map
  o The network map presents a visual hierarchy of the names and status of virtual servers, pools, pool members, and iRules defined on the system. You can click the name or IP address in the map to open the properties screen of that object. The map shows all objects in context, starting with the virtual servers at the top. The settings in the display options determine which objects are included. When you position the cursor over an object, the system presents hover text containing information about the object. Although a pool or pool member might be referenced in an iRule, they are not included on the map.
  o The system arranges virtual servers alphabetically and their dependent objects in a hierarchy:
      Virtual Server
        Pools assigned by HTTP classes
          That pool's members
        iRules statically assigned
        Default pool
          That pool's members
- Explain what virtual servers, pools, nodes, and pool members are
  o Each of the actual servers used for client traffic is defined on your BIG-IP system and is known as a pool member. Each pool member includes the server's IP address and port. You can define pool members by host name if the BIG-IP system can resolve the name. Similarly, the service name can be used instead of the port value if a standard port is being used. Frequently, servers are located within networks that use private (RFC 1918) addresses and are physically isolated from public networks. This allows the use of the many security features of the BIG-IP system. Pool members are defined as you create and modify pools.
  o The devices represented by the IP addresses of pool members are called nodes. Since nodes only have an IP address, they may represent multiple pool members. Nodes are typically not defined directly. Rather, as pool members are defined, the associated nodes are created automatically.
      Status indicator / Explanation (the icons themselves are not reproduced here):
      (icon) The node is enabled and able to receive traffic.
      (icon) The node is enabled but is currently unavailable. However, the node might become available later, with no user action required. An example of an unavailable node becoming available automatically is when the number of concurrent connections to the node no longer exceeds the value defined in the node's Connection Limit setting.
      (icon) The node is enabled but offline because an associated monitor has marked the node as down. To change the status so that the node can receive traffic, user intervention is required.
      (icon) The node is set to Disabled, although a monitor has marked the node as up. To resume normal operation, you must manually enable the node.
      (icon) The node is set to Disabled and is down. To resume normal operation, you must manually enable the node.
      (icon) The node is set to Disabled and is offline either because a user disabled it, or a monitor has marked the node as down. To resume normal operation, you must manually enable the node.
      (icon) The status of the node is unknown. Sample reasons for unknown node status are:
          The node has no monitor associated with it.
          Monitor results are not available yet.
          The node's IP address is misconfigured.
          The node has been disconnected from the network.
  o A pool is a group of pool members. With few exceptions, all the members of a given pool host the same content. Pools are named, and like most other objects on BIG-IP systems, their names can begin with a letter or underscore, can contain numbers and cannot contain spaces. In addition to members, pools also have their own load balancing method, monitors and other features that are defined when the pool is created or modified. You can also view or reset statistics on pools and their members. When a new connection is initiated to a virtual server that is mapped to a pool, various criteria, including the pool's load balancing method, may be used to determine which member to use for that request.
  o Virtual servers are the primary mechanism the BIG-IP system uses to process and track traffic. Each content site that a BIG-IP system manages must be associated with at least one virtual server. Like pools, virtual server definitions include a name, an IP address and a port. Beyond that, virtual servers have many features that allow you to choose how traffic is processed.
Objective 6.02 Use the dashboard to gauge the current running status of the system
- Interpret each of the statistic types displayed by the dashboard
- Given a situation, predict the appropriate dashboard statistics
Objective 6.03 Review log files in order to gauge the current operational status of the device
- Given log file snippets, describe an event sequence
- Given log file snippets, identify critical events
Objective 6.04 Use iApps Analytics to gauge the current running status of an application
- Explain the purpose of iApps Analytics
  o iApps Analytics provides real-time application performance statistics as well as diagnostic and troubleshooting information such as application response time, network latency, and connection statistics for the entire application, virtual server, pools, and nodes.
- Describe how to capture application statistics
- Given a current running status, recognize significant statistics
Section 7: 14% Maintain system configuration
Objective 7.01 Create and restore a UCS archive under the appropriate circumstances
- Discuss scenarios in which restoring a UCS archive is appropriate
- Discuss the tasks involved in successfully restoring a UCS archive
- Given a scenario, discuss when it is appropriate to create a UCS archive
Objective 7.02 Identify the components and methods associated with automating and scheduling tasks with the Enterprise Manager
- Identify which tasks can be automated using EM
- Identify which sub-tasks exist (i.e. install a hotfix but not reboot into a newly upgraded volume, etc.)
- Outline EM's method of creating automated UCS archives
- Describe EM's behavior when encountering task failures on specific devices
Objective 7.03 Automate and schedule tasks using Enterprise Manager
- Discuss the strategy for deploying a hotfix from EM to multiple high availability (HA) pairs
- Discuss how EM can be used to track a configuration change on a managed device
- Discuss how to use EM to determine SSL certificate expiration on managed devices
Objective 7.04 Manage software images
- Given an HA pair, describe the appropriate strategy for deploying a new software image
- Describe the potential impact of booting a device into another volume
- Discuss common issues related to the migration of a device to a new software version
Section 8: 17% Manage existing system and application services
Objective 8.01 Modify and manage virtual servers
- Given a proposed virtual server configuration change, outline the scope of the change and which connections those changes will affect (active connections, new connections, persisted sessions)
- Given a description of an application, identify the correct virtual server configured for it (HTTP/HTTPS, TCP/UDP, VLANs enabled, route domain)
- Given a situation where a virtual server configuration change did not appear to immediately take effect, determine why
Objective 8.02 Modify and manage pools
- Distinguish between disabling a member and forcing it down
  o Disabling a pool member will still allow PERSISTENT or ACTIVE connections
  o Forcing a pool member down will only allow ACTIVE connections
- Determine use cases for disabling a member
- Determine use cases for forcing down a member
- Given a situation where a pool member has been disabled but still appears to be receiving traffic, determine the cause
- Articulate the characteristics of a pool member that has been disabled or forced offline (such as for new connections, persisted connections, etc.)
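The following added example (not from the study guide and not F5 code) ties together two pieces of the guide: the status roll-up from Objective 1.02 (virtual server status follows the assigned pool, a pool is available only while at least one member is available, and a virtual server with no pool reports "unknown") and the distinction in Objective 8.02 between a disabled member, which still takes ACTIVE and PERSISTENT connections, and a forced-down member, which takes ACTIVE connections only. Pool and member names and addresses are constructed. One behaviour is an assumption rather than something the guide states: for an enabled member whose monitor has failed, the code assumes active connections are left in place (the default action-on-service-down behaviour) while new and persisted ones are refused.

```python
"""Added example: status roll-up and connection admission for LTM objects.

Models: pool available iff at least one member is available; virtual server
status follows its pool and is "unknown" with no pool; disabled members accept
ACTIVE and PERSISTENT connections, forced-down members accept ACTIVE only.
Names and addresses are constructed; this is not F5 code.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

CONNECTION_KINDS = ("new", "persisted", "active")


class MemberState(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"               # administratively disabled, drains gracefully
    FORCED_OFFLINE = "forced offline"   # forced down


@dataclass
class PoolMember:
    address: str
    port: int
    monitor_up: bool = True             # last result reported by the health monitor
    state: MemberState = MemberState.ENABLED

    def key(self) -> str:
        return f"{self.address}:{self.port}"

    def available(self) -> bool:
        # Only an enabled member with a passing monitor counts towards the pool minimum.
        return self.state is MemberState.ENABLED and self.monitor_up

    def accepts(self, kind: str) -> bool:
        """Would this member take a connection of the given kind right now?"""
        if kind not in CONNECTION_KINDS:
            raise ValueError(f"unknown connection kind {kind!r}")
        if self.state is MemberState.FORCED_OFFLINE:
            return kind == "active"                     # active only
        if self.state is MemberState.DISABLED:
            return kind in ("active", "persisted")      # no brand-new connections
        # Enabled: a passing monitor accepts everything. With a failed monitor the
        # member gets no new or persisted traffic; keeping active connections is an
        # assumption (default action-on-service-down), not a rule from the guide.
        return self.monitor_up or kind == "active"


@dataclass
class Pool:
    name: str
    members: List[PoolMember] = field(default_factory=list)

    def status(self) -> str:
        # A pool needs a minimum of one available member to be marked available.
        return "available" if any(m.available() for m in self.members) else "offline"


@dataclass
class VirtualServer:
    name: str
    pool: Optional[Pool] = None

    def status(self) -> str:
        if self.pool is None:
            return "unknown"   # still listens, but has no object to derive status from
        return self.pool.status()


def admitted_members(pool: Pool, kind: str) -> List[str]:
    """Members that would accept a connection of this kind, in pool order."""
    return [m.key() for m in pool.members if m.accepts(kind)]


def sample_pool() -> Pool:
    """Constructed pool: one enabled, one disabled and one forced-down member."""
    return Pool("web_pool", [
        PoolMember("10.0.1.11", 80),
        PoolMember("10.0.1.12", 80, state=MemberState.DISABLED),
        PoolMember("10.0.1.13", 80, state=MemberState.FORCED_OFFLINE),
    ])


if __name__ == "__main__":
    pool = sample_pool()
    vs = VirtualServer("vs_web", pool)
    print("vs_web status:", vs.status())
    for kind in CONNECTION_KINDS:
        print(f"{kind:>9} connections ->", admitted_members(pool, kind))
    pool.members[0].monitor_up = False      # the only enabled member fails its monitor
    print("vs_web status after monitor failure:", vs.status())
    print("vs with no pool:", VirtualServer("vs_nopool").status())
```

Walking the sample pool through all three connection kinds is a quick way to check the Objective 8.02 distinction: a client with an existing persistence record still reaches the disabled member, while the forced-down member only ever shows up for connections that already exist.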